v2.5 Certificate Management Library (CML) Now Available
All,
BAE Systems has delivered the Version 2.5 Certificate Management Library
(CML) for Microsoft Windows, Sun Solaris and Linux. The v2.5 CML and
documentation is freely available at:
<http://www.digitalnet.com/knowledge/cml_home.htm>.
Applications requiring Public Key Infrastructure (PKI) security services
can use the CML to meet their X.509 certificate and Certificate
Revocation List (CRL) processing requirements. The v2.5 CML is described
in the v2.5 CML Application Programming Interface (API) document. It
implements the 2000 X.509 Recommendation certification path verification
processing rules and SDN.706 profile. It meets the majority of the IETF
PKIX RFC 3280 Certificate/CRL Profile requirements. The v2.5 CML
Abstract Syntax Notation One (ASN.1) decodes X.509 Certificates and
CRLs. It requires the v1.7 Enhanced SNACC ASN.1 software that is freely
available from:
<http://www.digitalnet.com/knowledge/snacc_home.htm>.
The CML provides robust certification path building capabilities such as
using cross certificates. The CML uses the accompanying Storage and
Retrieval Library (SRL) (optionally) to provide local certificate and
CRL storage management functions. The SRL (optionally) provides remote
directory retrieval capabilities using the Lightweight Directory Access
Protocol (LDAP).
The CML has been thoroughly tested including validating X.509
Certificates and CRLs created by a variety of Certification Authority
(CA) products, and signed using the Digital Signature Algorithm (DSA)
and RSA algorithms. Further enhancements, ports and testing of the CML
are still in process. Further releases of the CML will be provided as
significant capabilities are added.
CML v2.5 includes the following enhancements (compared to v2.4 CML
release):
1. Enhanced path validation functions to allow a date to be specified
which is used as the validation date/time.
2. Added capability to return CRLs or OCSP responses that are used
during certificate path validation.
3. Added Online Certificate Status Protocol (OCSP) client library, using
OpenSSL, to check revocation status of certificates using OCSP.
4. Added new path validation error code, CM_INVALID_POLICY_MAPPING, that
is returned when a CA cert contains an invalid policy mapping (i.e.
either a policy is mapped from or to the special any-policy.)
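As an added illustration, not code from CML or its API, here is a minimal C++ sketch of the two path-validation checks described in items 1 and 4: a validity check against a caller-supplied validation date, and rejection of any CA certificate whose policy mappings map to or from the special anyPolicy value. Only CM_INVALID_POLICY_MAPPING is a name taken from the announcement; the other error codes, the Cert struct and the sample path are assumptions constructed for this example.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// CM_INVALID_POLICY_MAPPING is the error name from the announcement; the
// remaining codes are hypothetical placeholders, not CML's real identifiers.
enum CmStatus { CM_NO_ERROR = 0, CM_CERT_NOT_YET_VALID, CM_CERT_EXPIRED, CM_INVALID_POLICY_MAPPING };

// id-ce-anyPolicy, the special policy OID 2.5.29.32.0 from X.509 / RFC 3280.
static const std::string kAnyPolicy = "2.5.29.32.0";

// Minimal model of the certificate fields these checks need (assumed layout).
struct Cert {
    int64_t notBefore;  // validity start, seconds since the epoch
    int64_t notAfter;   // validity end
    std::vector<std::pair<std::string, std::string>> policyMappings;  // issuerDomainPolicy -> subjectDomainPolicy
};

// Check one certificate at the validation time supplied by the caller.
CmStatus checkCert(const Cert& c, int64_t validationTime) {
    if (validationTime < c.notBefore) return CM_CERT_NOT_YET_VALID;
    if (validationTime > c.notAfter) return CM_CERT_EXPIRED;
    for (const auto& m : c.policyMappings) {
        // RFC 3280 4.2.1.6: a policy MUST NOT be mapped to or from anyPolicy.
        if (m.first == kAnyPolicy || m.second == kAnyPolicy) return CM_INVALID_POLICY_MAPPING;
    }
    return CM_NO_ERROR;
}

struct PathResult { CmStatus status; size_t failingIndex; };

// Validate every certificate in the path; report the first failure and its position.
PathResult validatePath(const std::vector<Cert>& path, int64_t validationTime) {
    for (size_t i = 0; i < path.size(); ++i) {
        CmStatus s = checkCert(path[i], validationTime);
        if (s != CM_NO_ERROR) return {s, i};
    }
    return {CM_NO_ERROR, path.size()};
}

// Constructed sample path: a CA cert with a legitimate mapping, followed by a
// CA cert that maps a policy onto anyPolicy, which must be rejected.
std::vector<Cert> samplePath() {
    return {
        {1000, 9000, {{"1.2.3.4", "1.2.3.5"}}},
        {1000, 9000, {{"1.2.3.5", "2.5.29.32.0"}}},
    };
}
```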
All source code for the CML is being provided at no cost and with no
financial limitations regarding its use and distribution. Organizations
can use the CML without paying any royalties or licensing fees. The CML
was originally developed by the U.S. Government. BAE Systems is
enhancing and supporting the CML under contract to the U.S. Government.
The U.S. Government is furnishing the CML software at no cost to the
vendor subject to the conditions of the CML Public License provided with
the CML software.
The CML makes calls to PKCS #11-compliant libraries for cryptographic
support. BAE Systems provides a PKCS #11 implementation of Wei Dai's
Crypto++ <http://www.eskimo.com/~weidai/cryptlib.html> for use with the
CML. The underlying, external crypto libraries are not distributed as
part of the CML software.
The CML has been successfully tested with the v2.5 S/MIME Freeware
Library (SFL) that is freely available from
<http://www.DigitalNet.com/knowledge/sfl_home.htm>.
The CML has been successfully tested with the v2.5 Access Control
Library (ACL) that is freely available to everyone from:
<http://www.DigitalNet.com/knowledge/acl_home.htm>.
The CML has been successfully used to build and verify certificate paths
used in the Bridge Certification Authority (BCA) demonstration which
includes cross-certified hierarchical and non-hierarchical PKIs. The BCA
Interoperability Test Suite (BITS) is a free and openly available test
resource provided to facilitate vendor development of secure,
interoperable Public Key Enabled applications. The CML has been used to
successfully develop and verify the BITS X.509 certification paths
available from <http://bcatest.atl.DigitalNet.com>.
The National Institute of Standards and Technology (NIST) is providing
a standard test suite of X.509 certificate paths
<http://csrc.nist.gov/pki/testing/x509paths.html> that can be used for
testing applications against RFC 2459. The CML was used to successfully
process the NIST test data.
The CML meets the requirements stated in the SDN.706 Certificate/CRL
Profile required by the U.S. Defense Message System (DMS) project.
The Internet Mail Consortium (IMC) has established a CML web page
<http://www.imc.org/imc-cml> and a CML mail list which is used to:
distribute information regarding CML releases; discuss CML-related
issues; and allow CML users to provide feedback, comments, bug reports,
etc. Subscription information for the imc-cml mailing list is at the IMC
web site listed above.
All comments regarding the CML source code and documents are welcome.
This CML release announcement was sent to several mail lists, but please
send all messages regarding the CML to the imc-cml mail list ONLY.
Please do not send messages regarding the CML to any of the IETF mail
lists. We will respond to all messages sent to the imc-cml mail list.
--
Tom Horvath
BAE SYSTEMS Information Technology
www.BAESystems.com